Compass Security Schweiz AG, Werkstrasse 20, Postfach 2038, CH-8645 Jona
Tel +41 55 214 41 60, Fax +41 55 214 41 [email protected], www.csnc.ch
Linux Exploit Mitigation
Dobin Rutishauser
V1.3, March 2016
© Compass Security Schweiz AG www.csnc.ch Seite 2
About me
• At Compass Security since 2011
• Spoke at OWASP Zürich, BSides Vienna
• On the internet: www.broken.ch, www.haking.ch, www.r00ted.ch, phishing.help
• @dobinrutis, github.com/dobin
About this presentation
To understand exploit mitigations
Need to understand exploit techniques
I’ll lead you all the way, from zero
In 45 minutes!
About this presentation
• Content of 8 hours for BFH
• It will get very technical
• Not possible to:
  • Cover all the topics
  • And be easy to understand
  • And handle all the details
• This should give more of an … overview
• Don't worry if you don't understand everything
Overview of the presentation
Overview
1. Memory Layout
2. Stack
3. Exploit Basics
4. Exploit Mitigation
   • DEP
   • Stack Protector
   • ASLR
5. Contemporary Exploiting
6. Hardening
7. Container
8. Kernel
Exploit Intention
Attacker wants:
• Execute his own code on the server
  • rm -rf /
  • Connect-back shellcode
  • echo "sysadmin:::" >> /etc/passwd
Exploit Requirements
Attacker needs:
• Be able to upload code to execute
• Be able to hijack instruction flow
Memory Corruption Types
Buffer Overflow
• strcpy / strcat / memcpy
• Write past allocated buffer
• Minimum: 1 byte (off by one)
Alternative: Arbitrary Write
• Can write certain memory area
• Not in scope in this presentation
History intermezzo
• Morris Worm in 1988, overflow in sendmail and finger
• Around year 2000: Golden age of remote exploits
  • Team Teso (format string vulnerabilities): PHP, Apache, telnetd, wu-ftpd, qpopper, …
  • w00w00 (heap overflows): Efnet ircd, Norton Antivirus, AOL messenger, UnixWare stuff
  • Gobbles (putting the lulz in): Apache Scalp
  • ADM (high quality exploits): Bind, wu-imapd, …
Userspace Memory Layout
Process Memory Layout (32-bit Linux)
0xc0000000
0xbfffffff  Stack   char array[16];     ESP
            Heap    malloc(16)
0x0804800   Code    (program mapping)   EIP
0x0000000
Userspace process data structures
Stack
• There's one contiguous memory region containing the stack for the process
• LIFO: Last In, First Out
• Contains function local variables
• Also contains: Saved Instruction Pointer (SIP)
• Current function adds data to the top (bottom) of the stack
Heap
• There's one contiguous memory region containing the heap
• Memory allocator returns specific pieces of the memory region
• For malloc()
• Also contains: heap management data
Code
• Compiled program code
Stacks: how do they work?
Stack (push / pop)
0x10000  (high address)
0x00010  (low address)
Stack
void foobar(int arg1);

int main(void) {
    int blubb = 0;
    foobar(blubb);
    return 0;
}

void foobar(int arg1) {
    char compass1[16];   /* array sizes are not given on the slide; 16 assumed */
    char compass2[16];
    (void)arg1; (void)compass1; (void)compass2;
}
Stack Layout (high addresses at the top; push moves down, pop moves up)

Stack frame <main>:
  SIP       Saved IP (&__libc_start)
  SFP       Saved Frame Pointer
  blubb     Local variable of <main>

Stack frame <foobar>:
  &blubb    Argument arg1 for <foobar>
  SIP       Saved IP (&return)
  SFP       Saved Frame Pointer
  compass1  Local variable 1
  compass2  Local variable 2
Stack Layout
SIP: Stored Instruction Pointer
• Copy of EIP
• Points to the address where control flow continues after the end of the function (return, ret)
• Usually points into the code section
Stack Layout
0xFFFF  arg1
        SIP
        SFP
        localvar1
0x0100  localvar2
Stack grows down (push); writes go up (toward higher addresses)
Recap! Memory Layout
User data is on the stack
Also: important stuff is on the stack (Instruction Pointer, SIP)
Stack grows down
Writes go up
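The layout on these slides can be checked on a live process. The program below is an added example, not code from the slides; it assumes GCC or Clang on Linux x86-64 or arm64 (stack growing toward lower addresses) and uses the compiler builtins __builtin_frame_address and __builtin_return_address to read where foobar's SFP is saved and what its SIP is. The names foobar, blubb and compass1 come from the slide; struct frame_info and the three check functions are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the slides: make the frame layout of main -> foobar
 * observable. Assumes GCC or Clang on Linux (x86-64 or arm64), where the stack
 * grows toward lower addresses; noinline keeps each function in its own frame. */

struct frame_info {
    uintptr_t local;      /* address of a local char array in foobar's frame */
    uintptr_t frame;      /* frame pointer of foobar's frame (where SFP is saved) */
    uintptr_t ret_addr;   /* the SIP: where execution continues after foobar returns */
};

__attribute__((noinline)) struct frame_info foobar(int arg1)
{
    volatile char compass1[16];
    struct frame_info fi;
    compass1[0] = (char)arg1;         /* touch the buffer so it stays on the stack */
    fi.local    = (uintptr_t)compass1;
    fi.frame    = (uintptr_t)__builtin_frame_address(0);
    fi.ret_addr = (uintptr_t)__builtin_return_address(0);
    return fi;
}

/* "Stack grows down": the callee's locals lie below the caller's local. */
__attribute__((noinline)) int stack_grows_down(void)
{
    volatile int blubb = 0;
    struct frame_info fi = foobar(blubb);
    return fi.local < (uintptr_t)&blubb;
}

/* "SIP usually points into the code section": the saved IP is nowhere near the
 * stack. 1 MiB is a generous window around the frame; code lives far away. */
int sip_points_away_from_stack(void)
{
    struct frame_info fi = foobar(1);
    uintptr_t lo = fi.local - 0x100000, hi = fi.local + 0x100000;
    return !(fi.ret_addr >= lo && fi.ret_addr < hi);
}

/* Byte distance between main's local and foobar's local: everything the call
 * pushed in between (argument, SIP, SFP, locals), as drawn on the layout slide. */
__attribute__((noinline)) long frame_distance(void)
{
    volatile int blubb = 0;
    struct frame_info fi = foobar(blubb);
    return (long)((uintptr_t)&blubb - fi.local);
}

int main(void)
{
    struct frame_info fi = foobar(0);
    printf("compass1 @ %#lx  frame @ %#lx  saved IP %#lx\n",
           (unsigned long)fi.local, (unsigned long)fi.frame, (unsigned long)fi.ret_addr);
    printf("stack grows down: %d, SIP outside stack: %d, main->foobar distance: %ld bytes\n",
           stack_grows_down(), sip_points_away_from_stack(), frame_distance());
    return 0;
}
```

Compile with gcc -O0 or -O2 and compare the printed addresses with the process's /proc/<pid>/maps: the locals fall into the [stack] mapping, the saved IP into the binary's executable mapping.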
Stack Overflow Exploitation
Exploitation Basics
• Program execution is HIGHLY predictable/deterministic
  • Which is kind of surprising
• Stack, Heap, Code all start at the same address
• Same functions get called in the same order
  • And allocate the same sized buffers
• "Error/Overflow in function X", every time:
  • Same call stack
  • Same variables
  • Same registers
Buffer Overflow Basic Layout
0x0100 (low)                  0xFFFF (high)
[ char buf1[16]       ][ EIP ]
Buffer Overflow Basic Layout
strcpy(buf1, "AAAA AAAA AAAA AAAA");
[ char buf1[16]       ][ EIP  ]
[ AAAA AAAA AAAA AAAA ][ FF12 ]
Write up (0xFF12 = address of previous function)
Buffer Overflow Basic Layout
strcpy(buf1, "AAAA AAAA AAAA AAAA BBBB");
[ char buf1[16]       ][ EIP  ]
[ AAAA AAAA AAAA AAAA ][ BBBB ]
Attacker can call any code he wants. But: what code?
Buffer Overflow Basic Layout
Problem: In-band signaling
• Control data
• User data
Like old telephone networks
• 2600 Hz: indicates the line is free
• With a 2600 Hz tone, you could phone anywhere, for free
• Oops, accidentally created Legion of Doom
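As an added illustration of the in-band signalling problem (this is not code from the slides), the frame below is modelled as a struct so that the overrun is visible without undefined behaviour. The field order (user data, then SFP, then SIP), the saved IP value 0xFF12 and the 24-byte input are constructed from the slides' diagrams; the function names are assumptions. The unchecked copy walks up into the control data, the bounded copy rejects the same input before it gets there.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: a stack frame modelled as a struct so the
 * effect of an unchecked copy is visible without undefined behaviour. Field order
 * mirrors the 32-bit layout slide: user data first, control data right above it. */
struct fake_frame {
    char     buf1[16];    /* user data, e.g. the strcpy() destination */
    uint32_t saved_fp;    /* control data: SFP                        */
    uint32_t saved_ip;    /* control data: SIP, consumed by ret       */
};

#define ORIGINAL_FP 0xBFFFF000u   /* constructed value */
#define ORIGINAL_IP 0x0000FF12u   /* value from the slide: address of the previous function */

static void init_frame(struct fake_frame *f)
{
    memset(f->buf1, 0, sizeof f->buf1);
    f->saved_fp = ORIGINAL_FP;
    f->saved_ip = ORIGINAL_IP;
}

/* The vulnerable pattern: strcpy() trusts the source length. Modelled with a
 * memcpy over the whole struct so the overrun stays well-defined here.
 * Returns the saved IP after the copy. */
uint32_t unchecked_copy(const char *src, size_t len)
{
    struct fake_frame f;
    init_frame(&f);
    if (len > sizeof f) len = sizeof f;   /* keep the model itself in bounds */
    memcpy((char *)&f, src, len);         /* "writes go up": buf1, then SFP, then SIP */
    return f.saved_ip;
}

/* The hardened pattern: reject input that does not fit (data plus terminator),
 * then copy a bounded amount and always NUL-terminate.
 * Returns -1 if the input was rejected, otherwise the saved IP after the copy. */
long checked_copy(const char *src, size_t len)
{
    struct fake_frame f;
    init_frame(&f);
    if (len >= sizeof f.buf1)
        return -1;
    memcpy(f.buf1, src, len);
    f.buf1[len] = '\0';
    return (long)f.saved_ip;
}

int main(void)
{
    /* constructed input: 16 bytes of filler, 4 bytes over SFP, "BBBB" over SIP */
    const char payload[] = "AAAAAAAAAAAAAAAAFFFFBBBB";
    printf("unchecked copy: saved IP = %#x\n", unchecked_copy(payload, sizeof payload - 1));
    printf("checked copy:   result  = %ld (-1 = rejected)\n", checked_copy(payload, sizeof payload - 1));
    printf("checked copy of \"hello\": saved IP = %#lx\n", checked_copy("hello", 5));
    return 0;
}
```

The point the struct makes explicit: nothing separates the 16 bytes of user data from the saved IP, so the copy's length is the only thing standing between input and control flow. That is why the bounded version checks the length against the destination, not the source.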
Buffer Overflow Basic Exploit
Return to Stack:
[ char buf1[16]            ][ EIP   ]
[ AAAA AAAA AAAA AAAA      ][ BBBB  ]
[ CODE CODE CODE CODE CODE ][ &buf1 ]
Jump to buffer with shellcode
Buffer Overflow Basic Exploit
[ char buf1[16]            ][ EIP  ]
[ CODE CODE CODE CODE CODE ][ AA00 ]
buf1 is at 0xAA00, EIP becomes 0xAA00: jump to buffer with shellcode
Short description of shellcode
How is shellcode formed?
Shellcode!
Recap! Stack Overflow Exploit
Write past buffer on stack
Overwrite sIP
Point sIP to beginning of buffer
Place shellcode in buffer
Shellcode will be executed!
Exploit Mitigations
Exploit Mitigations
• DEP
• Stack Canary
• ASLR
Exploit Mitigation: DEP
DEP
DEP: Data Execution Prevention
• Aka: No-Exec Stack
• Aka: W^X (Write XOR eXecute) (OpenBSD)
• Aka: NX (Non-Execute) Bit
AMD64 (x86-64) introduced the NX bit in hardware
• Intel 32 bit architecture (starting from 80386) "saved" the eXecute bit
• For 32 bit, need PAE (Physical Address Extension, 32->36 bit)
• Or kernel patches like PaX
Linux:
• Support in 2004, Kernel 2.6.8, default
Anti-Exploitation: No-Exec Stack
Stack permissions: rwx
[ CODE CODE CODE CODE CODE ][ &buf1 ]
jmp *buf1
Anti-Exploitation: No-Exec Stack
Stack permissions: rw-
[ CODE CODE CODE CODE CODE ][ &buf1 ]
jmp *buf1
"Segmentation Fault"
Read Only Stack
DEP: Memory Layout
Stack   rw-
Heap    rw-
Code    r-x   (EIP)
0x0000000
Recap! DEP
Exploit Mitigation – DEP
• Makes it impossible for an attacker to execute his own shellcode
• Code: eXecute (no write)
• Heap, Stack: Write (no execute)
• No-no: Write and Execute
  • Sometimes necessary: interpreted languages
  • E.g. Java, or JavaScript
  • Ähem *Browser* ähem
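A defender-side check that follows directly from the W^X rule above, added here and not part of the slides: read /proc/<pid>/maps and flag every mapping that is both writable and executable, which is exactly the "no-no" case (a JIT page, or a stack that ended up rwx because some object in the link had an executable-stack marking). The maps line format "start-end perms offset dev inode [path]" is assumed, the sample lines are constructed, and the struct and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: audit a process for mappings that violate
 * DEP/W^X, i.e. are writable and executable at the same time.
 * Assumed line format: "start-end perms offset dev inode [path]". */

struct map_entry {
    unsigned long start, end;
    char perms[5];      /* e.g. "rw-p" */
    char path[256];
};

/* Parse one maps line. Returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, struct map_entry *e)
{
    unsigned long offset, inode;
    char dev[16];
    e->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255s",
                   &e->start, &e->end, e->perms, &offset, dev, &inode, e->path);
    return n >= 6;          /* the path field is optional (anonymous mappings) */
}

/* A mapping violates W^X if it is both writable and executable. */
int is_wx(const struct map_entry *e)
{
    return e->perms[1] == 'w' && e->perms[2] == 'x';
}

/* Convenience: -1 if the line cannot be parsed, else is_wx(). */
int line_is_wx(const char *line)
{
    struct map_entry e;
    if (!parse_maps_line(line, &e)) return -1;
    return is_wx(&e);
}

/* Count W^X violations in a maps text, reporting each one. */
int count_wx_mappings(const char *maps_text)
{
    int violations = 0;
    const char *p = maps_text;
    while (*p) {
        char line[512];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct map_entry e;
        if (parse_maps_line(line, &e) && is_wx(&e)) {
            printf("W+X mapping: %lx-%lx %s %s\n", e.start, e.end, e.perms, e.path);
            violations++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return violations;
}

/* Constructed sample: a code page (r-x), a data page (rw-), one rwx region of the
 * kind a JIT or an executable stack produces, and a normal rw- stack. */
const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "08049000-0804a000 rw-p 00001000 08:01 1234 /usr/bin/example\n"
    "b7e00000-b7e21000 rwxp 00000000 00:00 0\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

/* Audit the running process itself; returns -1 if /proc is unavailable. */
int audit_self(void)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    if (!fp) return -1;
    char line[512];
    int violations = 0;
    while (fgets(line, sizeof line, fp)) {
        struct map_entry e;
        if (parse_maps_line(line, &e) && is_wx(&e)) violations++;
    }
    fclose(fp);
    return violations;
}

int main(void)
{
    printf("sample: %d W+X mapping(s)\n", count_wx_mappings(SAMPLE_MAPS));
    printf("self:   %d W+X mapping(s)\n", audit_self());
    return 0;
}
```

For a binary on disk the equivalent static check is readelf -lW on the file: the GNU_STACK program header shows flags RW for a non-executable stack and RWE for an executable one.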
Exploit Mitigation – Stack Protector
Exploit Mitigation – Stack Protector
• Aka:
  • SSP: Stack Smashing Protector
  • Stack Cookie
  • Stack Canary
• Secret value in front of control data
• Generated per-process
  • Not per-function
Exploit Mitigation – Stack Protector
Without protector:  [ char buf1[16]       ][ EIP    ]
With protector:     [ char buf1[16]       ][ secret ][ EIP  ]
Original frame:     [ char buf1[16]       ][ 55667  ][ FF12 ]
After overflow:     [ CODE CODE CODE CODE ][ BBBB   ][ AA00 ]
Check at function return: BBBB != 55667, "Segmentation Fault"
Exploit Mitigation – Stack Protector
Stack Protector: GCC patch
• First: StackGuard in 1997
• Then: ProPolice in 2001, by IBM
• Finally: re-implementation of ProPolice in 2005 by RedHat
  • Introduced in GCC 4.1
  • -fstack-protector
• Update: better implementation by Google in 2012
  • -fstack-protector-strong
• Enabled since like forever by default
  • Most distributions
  • Most packages
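Added example, not code from the slides: a simulation of what -fstack-protector inserts into a function. One secret per process is drawn from /dev/urandom (assumed source, with a constructed fallback), copied between the buffer and the control data at function entry, and compared again at return. The frame layout and the 24-byte input are constructed to match the slides' diagram; the struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: how a stack protector catches an overflow
 * before the function returns. The frame is a struct so the overrun stays
 * well-defined; the secret sits between the buffer and the control data. */
struct guarded_frame {
    char     buf1[16];
    uint32_t canary;      /* copy of the per-process secret, stored at function entry */
    uint32_t saved_ip;
};

/* One secret per process, like the real protector (set once, not per function). */
static uint32_t process_canary;

uint32_t init_process_canary(void)
{
    uint32_t v = 0;
    FILE *fp = fopen("/dev/urandom", "rb");          /* assumed source of randomness */
    if (fp) {
        if (fread(&v, sizeof v, 1, fp) != 1) v = 0;
        fclose(fp);
    }
    if (v == 0) v = 0x5566700u;    /* constructed fallback, echoing the slide's "55667" */
    /* glibc zeroes the canary's first byte in memory (the low byte on little-endian),
     * so a string copy stops at it instead of reproducing the whole value. */
    v &= 0xFFFFFF00u;
    process_canary = v;
    return v;
}

/* Returns 0 when the frame is intact at "return", 1 when the canary was
 * clobbered (the real protector calls __stack_chk_fail and aborts here). */
int guarded_copy(const char *src, size_t len)
{
    struct guarded_frame f;
    memset(&f, 0, sizeof f);
    f.canary   = process_canary;           /* prologue: store the secret */
    f.saved_ip = 0xFF12u;                  /* value from the slide */
    if (len > sizeof f) len = sizeof f;    /* keep the model itself in bounds */
    memcpy((char *)&f, src, len);          /* unchecked copy: may run over canary and SIP */
    return f.canary != process_canary;     /* epilogue: compare before ret */
}

int main(void)
{
    init_process_canary();
    const char good[]     = "hello";
    const char overflow[] = "AAAAAAAAAAAAAAAABBBBAA00";   /* constructed, 24 bytes */
    printf("benign copy:   canary tampered = %d\n", guarded_copy(good, sizeof good - 1));
    printf("overflow copy: canary tampered = %d\n", guarded_copy(overflow, sizeof overflow - 1));
    return 0;
}
```

Two properties of the real protector are visible here: the check only runs when the function returns, so an overflow that is detected has already happened, and the secret is the same for every function in the process, so it is the secrecy of one value that the whole scheme rests on. The compiler flag from the slide, -fstack-protector-strong, adds the equivalent of these two lines to every function that has a local array or takes the address of a local.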
Exploit Mitigation: ASLR
Exploit Mitigation - ASLR
• Code execution is surprisingly deterministic
• E.g. network service:
  1. fork()
  2. Parse incoming data
  3. Buffer overflow is happening at module X line Y
• On every exploit attempt, memory layout looks the same!
  • Same stack/heap/code layout
  • Same address of the buffer(s)
• ASLR: Address Space Layout Randomization
  • Introduces randomness in memory regions
Memory Layout (without ASLR)
0xbfffffff  Stack
            Heap
0x0804800   Code
Memory Layout (with ASLR)
0x????????  Stack
0x????????  Heap
0x0804800   Code
Exploit Mitigation - ASLR
Without ASLR: buffer at 0xAA00
[ CODE CODE CODE CODE C ][ &buf1 ]
[ CODE CODE CODE CODE C ][ AA00  ]   EIP = 0xAA00, lands in the buffer
With ASLR: buffer now at 0xBB00
[ CODE CODE CODE CODE C ][ &buf1 ]
[ CODE CODE CODE CODE C ][ AA00  ]   AA00 != BB00, "Segmentation Fault"
Exploit Mitigation - ASLR
Randomness is measured in entropy
• Several restrictions
  • Pages have to be page aligned: 4096 bytes = 12 bit
  • Very restricted address space in x32 architecture
    • ~8 bit for stack (256 possibilities)
  • Much more space for x64
    • ~22 bit for stack
Re-randomization
• ASLR only applied on exec()
  • With some bugs…
• Not on fork()
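Two of the points above can be measured from a program: a fork()ed child keeps the parent's layout (only exec() gets a fresh one), and entropy is the number of address bits that actually vary between runs, with the low 12 bits pinned by page alignment. The program below is an added example, not from the slides; it assumes Linux with /proc mounted. The four 32-bit stack addresses are constructed to show the ~8 varying bits of a 32-bit stack, and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not from the slides. */

/* Returns 1 if a forked child sees the same stack, heap and code addresses as
 * its parent (ASLR is not re-applied on fork), -1 on pipe/fork failure. */
int fork_keeps_layout(void)
{
    int fd[2];
    if (pipe(fd) != 0) return -1;
    volatile char local[16];                                   /* stack  */
    char *heap = malloc(16);                                   /* heap   */
    uintptr_t parent_view[3] = { (uintptr_t)local, (uintptr_t)heap,
                                 (uintptr_t)&fork_keeps_layout }; /* code */
    pid_t pid = fork();
    if (pid < 0) { free(heap); return -1; }
    if (pid == 0) {
        /* child: report the same three addresses as it sees them */
        uintptr_t child_view[3] = { (uintptr_t)local, (uintptr_t)heap,
                                    (uintptr_t)&fork_keeps_layout };
        if (write(fd[1], child_view, sizeof child_view) < 0) _exit(1);
        _exit(0);
    }
    uintptr_t child_view[3];
    ssize_t n = read(fd[0], child_view, sizeof child_view);
    waitpid(pid, NULL, 0);
    close(fd[0]);
    close(fd[1]);
    free(heap);
    if (n != (ssize_t)sizeof child_view) return -1;
    return memcmp(parent_view, child_view, sizeof child_view) == 0;
}

/* Kernel ASLR setting: 0 = off, 1 = stack/mmap/vdso, 2 = also brk; -1 if unreadable. */
int aslr_mode(void)
{
    FILE *fp = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!fp) return -1;
    int mode = -1;
    if (fscanf(fp, "%d", &mode) != 1) mode = -1;
    fclose(fp);
    return mode;
}

/* Number of bit positions that differ across sampled addresses of the same
 * object taken from separate exec()s. Page alignment keeps the low 12 bits
 * constant, so they never count. Few samples underestimate; it is a lower bound. */
int varying_bits(const uintptr_t *samples, size_t n)
{
    uintptr_t all_and = ~(uintptr_t)0, all_or = 0;
    for (size_t i = 0; i < n; i++) {
        all_and &= samples[i];
        all_or  |= samples[i];
    }
    if (n == 0) return 0;
    return __builtin_popcountl((unsigned long)(all_or & ~all_and));
}

/* Constructed samples: four 32-bit stack addresses whose bits 12..19 vary (8 bits,
 * 256 page positions) and two identical ones, as seen with ASLR disabled. */
const uintptr_t SAMPLE_STACK_ADDRS[4] = { 0xbff00000u, 0xbffff000u, 0xbffa5000u, 0xbff5a000u };
const uintptr_t SAMPLE_NO_ASLR[2]    = { 0xbff00000u, 0xbff00000u };

int main(void)
{
    printf("randomize_va_space = %d\n", aslr_mode());
    printf("forked child keeps parent layout: %d\n", fork_keeps_layout());
    printf("varying bits, constructed 32-bit samples: %d (no ASLR: %d)\n",
           varying_bits(SAMPLE_STACK_ADDRS, 4), varying_bits(SAMPLE_NO_ASLR, 2));
    return 0;
}
```

To measure a real system instead of the constructed samples, run a small program that prints the address of a local several times via separate exec()s and feed the values to varying_bits; on a 64-bit Linux the result approaches the ~22 bits quoted on the slide as the sample count grows. The fork() result is the practical reason the slide's network-service example matters: a pre-forking server hands every connection the same layout until the parent itself is restarted.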
Recap! ASLR
• Randomize memory layout
• Attacker can't call/reference what he can't find
• Default ASLR randomizes:
  • Writeable locations
  • Stack
  • Heap
Recap! All Exploit Mitigations
Stack canary: detects/blocks overflows
DEP: makes it impossible to execute uploaded code
ASLR: makes it impossible to locate data
Time for beer and pizza!
Stack canary, DEP, ASLR…so many protections…now I’m secure!
NO.
This was the simple part…
Contemporary exploiting
Defeating: Stack Canary
Contemporary exploiting
Exploiting: Stack Canary
• Stack canary protects only against (linear) overflows
• Arbitrary write:
  char array[16];
  array[userIndex] = 0;
• Also: Heap is not protected
• Also: Local vars (function pointers) not protected
Exploiting: Stack Canary
Or… just bruteforce it!
• 32 bit value, so 2^32 ≈ 4 billion possibilities?
• Example: 0x42A1B2C3
canary bytes (as drawn)   buffer    input   result
0x42 0xC3 0xB2 0xA1       AAAAAAA
0x41 0xC3 0xB2 0xA1       AAAAAAA   A       -> Crash
0x42 0xC3 0xB2 0xA1       AAAAAAA   B       -> No crash
0x42 0xC3 0xB2 0x41       AAAAAAA   BA      -> Crash
0x42 0xC3 0xB2 0x42       AAAAAAA   BB      -> Crash
Exploiting: Stack Canary
• So: not 2^32 = 4 billion possibilities
• But: 4 * 2^8 = 4 * 256 = 1024 possibilities
• 512 on average
Exploiting: Stack Canary
I lied a bit!
Stack Frame <foobar> (push ↓, pop ↑):
  arg1        Argument for <foobar>
  SIP         Saved IP (&main)
  SFP         Saved Frame Pointer
  compass1    Local Variables <func>
  compass2
Recap: Defeating Stack Canary
• Defeat ASLR for free, because the SFP can be brute forced the same way ☺
• Conclusion: Stack canary can be brute forced, or just circumvented
Defeating: DEP
Contemporary exploiting
Exploiting: DEP - Memory Layout
  Stack   rw-
  Heap    rw-
  Code    r-x   0x0804800
Exploiting: DEP - ROP
• DEP does not allow execution of our own code
• But what about existing code?
• Code from binary, followed by a RET
  • Called “gadgets”
• Return Oriented Programming
Exploiting DEP: ROP Gadgets
ROPgadget
ROPgadget
ROPgadget.py --ropchain
Exploiting: DEP - Memory Layout
Stack
Heap
Code    0x0804800
Exploiting: ROP
Stager:
• Allocate new RWX memory
• Copy rest of shellcode to newly allocated memory
• Execute it (jmp)
• Profit
Recap: Anti-DEP
Conclusion:
Code section is not randomized
Just smartly re-use existing code
Defeating: ASLR
Contemporary exploiting
Exploiting: ASLR
I lied… again
Exploiting: ASLR – Memory Layout
  Stack   0x????????
  Heap    0x????????
  Code    0x0804800
Exploiting: ASLR – Memory Layout
  Stack
  Heap
  Code       0x0804800
  Mappings   0x????????   (libc, ssl lib, libstdc++)
Exploiting: ASLR – Memory Layout
  Stack
  Heap
  Code       0x0804800
  PLT        (inside the code section, fixed address)
  Mappings   0x????????
Exploiting: ASLR – Memory Layout
  Stack
  Heap
  Code    PLT entry system() -> points into glibc
  glibc   system()
Exploiting: ASLR – ret2libc / ret2plt
• Defeats ASLR
• Also defeats DEP in one go ☺
• Just do:
  • EIP = &system@plt
  • arg = &meterpreter bash shellcode
  • system(“/bin/bash nc –l –p 31337”)
Exploiting: ASLR
Other ASLR exploits:
• Partial RIP overwrite
  • Little endianness: 0x11223344
      buf | 44 33 22 11 | func1
      buf | 52 33 22 11 | func2
Exploiting: ASLR
Other ASLR exploits:
• NOP sleds
  • As often used with JavaScript
  • Heap spray a few megabytes…
NOP NOP NOP NOP NOP … CODE
Recap: Anti ASLR
Anti-ASLR:
• Find static locations (like PLT)
• Mis-use existing pointers
• Spray & Pray
Recap! Exploit Mitigation Exploits
All three exploit mitigations can be defeated by black magic
Easily
Is there a solution?
The solution
The solution to all problems… PIE
Exploit Mitigation++
• Fix:
  • Compile as PIE
  • PIE: Position Independent Executable
  • Will randomize Code and PLT, too
• Note:
  • Shared libraries are PIC (Position Independent Code)
  • Because they don’t know where they are being loaded
Exploiting: ASLR for code: PIE
  Stack
  Heap
  Code       0x???????
  PLT        0x???????
  Mappings   0x????????
Ok ok, everything is now ASLR’d and secure. Can I get my pizza now?
ASLR vs Information Leak
ASLR assumes attacker can’t get information
What if they can?
Meet: Memory Leak
ASLR vs Memory Leak
send(socket, buf1, sizeof(int) * 16, NULL);
Oops, attacker got 64 bytes back
• Pointer to stack, code, heap
• Can deduce base address
Stack frame: | char buf1[16] | SFP | EIP | *ptr |
ASLR vs Memory Leak
send(socket, buf1, sizeof(int) * 16, NULL);
| char buf1[16] | SFP | EIP | *ptr |   (the 16 bytes that were meant to be sent)
| char buf1[16] | SFP | EIP | *ptr |   (the 64 bytes that are actually sent)
Exploiting: ASLR for code: PIE
  Stack?   0xbfbfbfbf   -> Real Stack
  Heap?    0xaabbccdd   -> Real Heap
  Code?    0xddeeffaa   -> Real Code
TL;DR
Enable ALL the mitigations (DEP, ASLR w/PIE, Stack Protector)
Defeat ALL the mitigations:
• ROP shellcode as stager to defeat DEP
• Information leak to defeat ASLR
• Non-SIP-based stack overflow vulnerability (so the stack canary is never touched)
Comparison (table): which vulnerability classes the stack canary covers
Column: Stack Canary
Rows: Stack Overflow; Inter-Chunk Heap Overflow; Arbitrary Write; Use After Free; Type confusion
Comparison (table): which exploit technique still works against which mitigation set
Columns: DEP | ASLR | DEP + ASLR | PIE + DEP + ASLR
Rows: Shellcode; Shellcode + Heap Spray; Shellcode + Info Leak; Ret2libc; Ret2plt; Ret2plt + Infoleak; ROP; ROP + Info Leak
Recap! Recap!
There are multiple Exploit Mitigations
All fail with the right vulnerability
But: They make exploit development harder
Somewhat
As shown in CTFs at hacker cons, vulns can be identified and a reliable exploit developed in a few hours
• While being drunk
• Int3pids, Dragon Sector, Shellphish, etc.
• Tomorrow, 17:30, Insomnihack Geneve
Linux Hardening
Exploit Mitigations
Enable DEP:
• Default since like forever
• (for old CPUs: kernel.exec-shield = 1)
• Per binary: gcc -z noexecstack keeps the stack non-executable, -z execstack disables it
Enable ASLR:
• Default since like forever
• /proc/sys/kernel/randomize_va_space = 2
Enable Stack protector:
• -fstack-protector (Default)
• -fstack-protector-all (ALL functions)
• -fstack-protector-strong (Better)
Anti-Exploitation - Hardening
More compiler options:
• -D_FORTIFY_SOURCE=2
  • FORTIFY_SOURCE provides (lightweight) buffer overflow checks for the following functions:
    memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, gets.
  • Compile time warnings
  • Default in Ubuntu
• Format string
  • Default in Ubuntu
  • -Wformat -Wformat-security
• Full RELRO (read-only relocations)
  • Default in Ubuntu
  • -Wl,-z,relro -Wl,-z,now
• Position independent code
  • NOT default in Ubuntu (performance penalty)
  • -pie -fPIE
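A small checksec-style checker for the flags on this slide, added here as an example (it is not part of the slides and not the checksec tool itself): it reads the ELF program headers and the dynamic section to report PIE, non-executable stack and RELRO. The three sample images are constructed inline; the constants come from the ELF64 spec, and the PIE test (ET_DYN plus PT_INTERP) is the usual heuristic, not a guarantee.

```python
import struct
import sys
from dataclasses import dataclass

# ELF constants (from the ELF64 spec / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


@dataclass
class Hardening:
    pie: bool    # -pie -fPIE: code and PLT get randomized too
    nx: bool     # non-executable stack (DEP); -z execstack turns it off
    relro: str   # "none", "partial" (-z relro) or "full" (-z relro -z now)


def program_headers(data):
    """Return (e_type, [Elf64_Phdr tuples]) of a little-endian ELF64 image."""
    f = EHDR.unpack_from(data, 0)
    ident, e_type, e_phoff, e_phentsize, e_phnum = f[0], f[1], f[5], f[9], f[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    return e_type, [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
                    for i in range(e_phnum)]


def dynamic_tags(data, phdrs):
    """Collect d_tag -> d_val from the PT_DYNAMIC segment (empty if none)."""
    tags = {}
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    return tags


def check_hardening(data):
    e_type, phdrs = program_headers(data)
    by_type = {p[0]: p for p in phdrs}
    # ET_DYN with a PT_INTERP is a PIE executable; ET_DYN alone is a shared
    # library; ET_EXEC is loaded at a fixed address (0x08048000 on i386).
    pie = e_type == ET_DYN and PT_INTERP in by_type
    # No PT_GNU_STACK at all historically meant an executable stack, so a
    # missing header counts the same as one with PF_X set.
    nx = PT_GNU_STACK in by_type and not (by_type[PT_GNU_STACK][1] & PF_X)
    relro = "none"
    if PT_GNU_RELRO in by_type:
        tags = dynamic_tags(data, phdrs)
        now = (DT_BIND_NOW in tags or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
               or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
        relro = "full" if now else "partial"
    return Hardening(pie, nx, relro)


def build_elf(e_type, segments, dyn_tags=None):
    """Constructed sample image: Ehdr, Phdrs and (if dyn_tags is given) a
    dynamic table. It carries no code, only the metadata the checker reads."""
    segs, dyn = list(segments), b""
    if dyn_tags is not None:
        segs.append((PT_DYNAMIC, PF_R | PF_W))
        dyn = b"".join(DYN.pack(t, v) for t, v in dyn_tags) + DYN.pack(DT_NULL, 0)
    dyn_off, phdrs = EHDR.size + PHDR.size * len(segs), b""
    for p_type, p_flags in segs:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        phdrs += PHDR.pack(p_type, p_flags, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, v1, SysV
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segs), 0, 0, 0)
    return ehdr + phdrs + dyn


# Constructed samples (not real binaries), mirroring the slide's flags.
# WEAK: no -pie, executable stack (-z execstack), no RELRO
WEAK = build_elf(ET_EXEC, [(PT_INTERP, PF_R), (PT_GNU_STACK, PF_R | PF_W | PF_X)],
                 dyn_tags=[])
# PARTIAL: -pie -fPIE, -z noexecstack, -Wl,-z,relro but no -z now
PARTIAL = build_elf(ET_DYN, [(PT_INTERP, PF_R), (PT_GNU_STACK, PF_R | PF_W),
                             (PT_GNU_RELRO, PF_R)], dyn_tags=[])
# HARDENED: as PARTIAL plus -Wl,-z,now (DF_1_NOW in the dynamic section)
HARDENED = build_elf(ET_DYN, [(PT_INTERP, PF_R), (PT_GNU_STACK, PF_R | PF_W),
                              (PT_GNU_RELRO, PF_R)], dyn_tags=[(DT_FLAGS_1, DF_1_NOW)])

if __name__ == "__main__":
    # python3 elfcheck.py /path/to/binary ...  (without arguments: the samples)
    images = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
             [("WEAK", WEAK), ("PARTIAL", PARTIAL), ("HARDENED", HARDENED)]
    for name, data in images:
        print(name, check_hardening(data))
```

Point it at a real binary to check the flags it was built with; a stack-protector check would additionally need the dynamic symbol table (a reference to __stack_chk_fail), which this block leaves out.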
Ubuntu Packages Compiled as PIE
Check: Checksec
Ubuntu 14.04
Kernel config: /boot/config-3.13.0-24-generic
GCC stack protector support: Enabled
Strict user copy checks: Disabled
Enforce read-only kernel data: Enabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled
* grsecurity / PaX: No GRKERNSEC
The grsecurity / PaX patchset is available here:
http://grsecurity.net/
* Kernel Heap Hardening: No KERNHEAP
The KERNHEAP hardening patchset is available here:
https://www.subreption.com/kernheap/
Check: Paxtest
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Check: Paxtest
Anonymous mapping randomization test : 28 quality bits (guessed)
Heap randomization test (ET_EXEC) : 13 quality bits (guessed)
Heap randomization test (PIE) : 28 quality bits (guessed)
Main executable randomization (ET_EXEC) : 28 quality bits (guessed)
Main executable randomization (PIE) : 28 quality bits (guessed)
Shared library randomization test : 28 quality bits (guessed)
VDSO randomization test : 11 quality bits (guessed)
Stack randomization test (SEGMEXEC) : 28 quality bits (guessed)
Stack randomization test (PAGEEXEC) : 28 quality bits (guessed)
Arg/env randomization test (SEGMEXEC) : 20 quality bits (guessed)
Arg/env randomization test (PAGEEXEC) : 20 quality bits (guessed)
Randomization under memory exhaustion @~0: 28 bits (guessed)
Randomization under memory exhaustion @0 : 28 bits (guessed)
Return to function (strcpy) : return addr has NULL byte
Return to function (memcpy) : Vulnerable
Return to function (strcpy, PIE) : return addr has NULL byte
Return to function (memcpy, PIE) : Vulnerable
The non-standard stuff
Advanced Linux hardening
Advanced Hardening - Grsecurity
Grsecurity
Uses PaX
• Kernel patch
• Improved DEP and ASLR
  • For userspace
  • And kernelspace protection (e.g. SMAP emulation)
• Better randomness, more randomness
Also provides:
• Chroot hardening
• Hide /proc stuff
• Ptrace restrictions
• Kernel module loading restrictions
• RBAC (Role Based Access Control)
Ok I now know everything, pizza?
Linux Container
Container
Linux Container
Relevant?
• TEH CLOUD
Container: All containers share the same kernel
• LXC
• Docker
• FreeBSD Jails (since March 2000)
• Solaris Zones
• Obsolete: Vserver, OpenVZ
Virtualization: Each guest has its very own kernel
• VMware, VirtualBox, KVM, …
• Not covered here
RBACs
• SELinux (Red Hat), AppArmor (SUSE), …
• Not covered here
! Container
• Chroot is not a container
  • Path restriction only
  • But: Can access other processes, the kernel, IPC, etc.
LXC - Namespaces
LXC/Docker: Use namespaces for containerization
• Restrict view/access of certain processes
LXC
LXC container cannot:
• Interact with host processes
• Access root file system
• Access special devices (block, network, …)
• Mount filesystems
• Execute special ioctl’s
LXC container can access:
• /proc: certain files
• /sys: certain files
• Do a lot of other stuff
Userspace vs. kernelspace
LXC containers share their kernel… Wait, what about kernel security?
Protecting the kernelspace
Linux Kernel
Linux Kernel Attack Surface
Linux Kernel Syscalls
Linux Kernel Protection Mechanisms
So, what about the Linux Kernel?
ASLR: No
• kASLR
  • Since Kernel 3.14
  • Disabled by default in most distributions
  • Weaker than userspace (less entropy)
  • But: a crash in the kernel is very noticeable
DEP: Yes
• But some pages are W & X…
  • Because of x86 (BIOS etc.)
  • Therefore, not so useful
Stack Protector: YES
FORTIFY_SOURCE: YES
Linux Kernel CPU Security Features
Modern kernel protections by CPU support
SMEP: Supervisor Mode Execution Protection
• Deny kernel execution from userspace memory (ret2usr)
• Since Kernel 3.0
• Needs CPU support: Ivy Bridge ++
• Enabled by default in modern distributions
• Workaround: In-kernel ROP
• cat /proc/cpuinfo | grep smep
SMAP: Supervisor Mode Access Prevention
• Deny kernel direct access to userspace memory
• Since Kernel 3.7
• Needs CPU support: Broadwell ++
• Enabled by default in modern distributions
CPU generations:
• 2012: Ivy Bridge (e.g. i7 48xx, 49xx)
• 2013: Haswell (e.g. i7 47xx)
• 2014: Broadwell (e.g. i7 56xx, 55xx, 58xx, 59xx)
• 2015: Skylake (e.g. i7 65xx, 66xx, 67xx, 68xx, 69xx)
Linus on security
http://yarchive.net/comp/linux/security_bugs.html
http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
Linux Kernel Politics
• Infrastructure people
  • Don't know they are there, except when something breaks
• 8 stable kernel trees!
  • And distros have their own stable kernels…
• Actively hide security fixes in commit messages
  • And they are honest about this
• Distros in charge of security
  • Is this good or not?
• Conclusion:
  • Important security fixes are maybe not backported to stable kernels
Kernel Hardening
• Reduce features!
  • make menuconfig
  • Remove:
    • Drivers
      • CVE-2016-2384: arbitrary code execution due to a double-free in the usb-midi Linux kernel driver
    • Features
    • Protocols
• Use grsecurity / PaX
• Use a current CPU
• Enable kASLR
Kernel Hardening
• Seccomp-bpf
  • Seccomp: since Kernel 2.6.12 (2005)
  • Seccomp-bpf: since Kernel 3.5 (2012)
  • Whitelist (or blacklist) system calls
    • E.g. exit(), read(), write(), …
  • Who cares?
    • Chrome-Flash, Chrome-Renderer, vsftpd, OpenSSH, Firefox, Tor, …
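As an added example (not from the slides), here is how such a whitelist of exit/read/write-style syscalls is expressed as a seccomp-bpf program for x86-64, with a small interpreter to check the filter's decisions before installing it via prctl(2); the function names and the 64-instruction buffer are assumptions.

```c
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Added example: x86-64 seccomp-bpf whitelist. Syscalls in allowed[] get SECCOMP_RET_ALLOW,
 * anything else (or a foreign ABI) gets SECCOMP_RET_KILL. Returns the instruction count or -1. */
int build_whitelist(struct sock_filter *prog, int cap, const int *allowed, int n)
{
    int i = 0;
    if (n > 255 || cap < n + 6) return -1;
    /* Check the arch first: syscall numbers only mean something for one ABI. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int k = 0; k < n; k++) /* on a match, jump forward to the final ALLOW */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[k], (unsigned char)(n - k), 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Minimal interpreter for the three opcodes used above, to check a filter's
 * decision without installing it (the real filter runs inside the kernel). */
unsigned int run_filter(const struct sock_filter *p, int len, unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (int pc = 0; pc < len; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (p[pc].k == offsetof(struct seccomp_data, arch)) ? arch : nr;
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;
        else if (p[pc].code == (BPF_RET | BPF_K))
            return p[pc].k;
    }
    return SECCOMP_RET_KILL; /* ran off the end: deny */
}

/* Install the filter in the calling process; NO_NEW_PRIVS is required for unprivileged callers. */
int install_whitelist(const int *allowed, int n)
{
    struct sock_filter insns[64];
    int len = build_whitelist(insns, 64, allowed, n);
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = insns };
    if (len < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
```

Installing the filter is one-way for the process: any syscall outside the list terminates it with SIGSYS, so the list has to cover everything the program (and its libc) actually calls, which strace on a normal run shows.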
Kernel Hardening
• FS hardening
  • /proc
  • /sys
  • /dev/[zero, null, urandom]
  • Nothing else
• AppArmor
  • "additional restrictions on mounts, socket, ptrace and file access. Specifically restricting cross-container communication."
Linux Kernel Attack Surface
• Seccomp-bpf
• FS Restriction
• AppArmor
Recap! Linux Kernel
• Containers share the same kernel
• The kernel is not very secure
Conclusion
Recap! Recap!
• Want more security?
  • Compile everything as PIE
• Even more?
  • grsecurity kernel patch
• More kernel security?
  • Strip the kernel of features
  • Seccomp-bpf
-> Or better: Ask your distribution to do it! <-
Recap! Recap!
The good news:
• Most companies get owned by web vulns anyway
  • SQL injection
  • Shell upload
• Or social engineering…
Questions?
When I'm quick: More slides (backup slides)
Advanced Hardening - CLANG CFI
Clang is a C/C++ frontend for LLVM
Has Control Flow Integrity!
• -fsanitize=cfi
  • Mostly helps against type confusion attacks
  • -fsanitize=cfi-cast-strict: Enables strict cast checks
  • -fsanitize=cfi-derived-cast: Base-to-derived cast to the wrong dynamic type
  • -fsanitize=cfi-unrelated-cast: Cast from void* or another unrelated type to the wrong dynamic type
  • -fsanitize=cfi-nvcall: Non-virtual call via an object whose vptr is of the wrong dynamic type
  • -fsanitize=cfi-vcall: Virtual call via an object whose vptr is of the wrong dynamic type
  • -fsanitize=cfi-icall: Indirect call of a function with the wrong dynamic type
Hipster exploiting
• Blind ROP
  • Brute force all ROP gadgets
  • Based on replies (Crash, Freeze, No Crash)
  • No need to know anything about the process (don't even need the binary!)
• Sigreturn oriented programming
  • Use signal handler to invoke code
  • Does not need as many gadgets as normal ROP (just "syscall; ret")
Clang Compiler
Frontend for LLVM (compiles C to LLVM IR)
• SafeStack
  • -fsanitize=safe-stack
  • Splits the stack into a safe stack (saved instruction pointer etc.) and an unsafe stack
Clang Compiler: Address Sanitizer
• Detects memory corruption bugs
• Heavy performance penalty
• Do not use in production!
• http://www.openwall.com/lists/oss-security/2016/02/17/9
• Also: KASAN (Kernel Address Sanitizer)